SHA-256 vs MD5: The Key Differences

MD5 and SHA-256 are both cryptographic hash function algorithms that take any input and produce a fixed-length "fingerprint" (digest). But they differ enormously in security, output size, and appropriate use cases. Using the wrong one can be a serious security mistake.
Quick Comparison
| Property | MD5 | SHA-1 | SHA-256 | SHA-512 |
|---|---|---|---|---|
| Output size | 128 bits (32 hex) | 160 bits (40 hex) | 256 bits (64 hex) | 512 bits (128 hex) |
| Speed | Fastest | Fast | Medium | Slower |
| Collision resistance | Broken | Broken | Strong | Very strong |
| Security status | Cryptographically broken | Deprecated | Recommended | Recommended |
| Part of the SHA-2 family | No | No (SHA-1) | Yes | Yes |
What Is a Hash Function?
A cryptographic hash function takes an input of any size and produces a fixed-size output with these properties:
- Deterministic: The same input always produces the same output
- One-way: You cannot reverse-engineer the input from the output
- Avalanche effect: A tiny change in input produces a completely different output
- Collision resistant: It should be computationally infeasible to find two different inputs with the same hash
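The four properties above can be checked directly. The following Python snippet is an added example (not code from the original page): it uses the standard library `hashlib` to confirm the digest lengths from the comparison table and to measure the avalanche effect by flipping a single input bit and counting how many digest bits change. The sample messages are constructed for the example.

```python
import hashlib

# Hex digest lengths from the comparison table above (bits / 4).
EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def hex_digest(algo: str, data: bytes) -> str:
    """Return the hex digest of `data` under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def hamming_distance_bits(a_hex: str, b_hex: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    if len(a_hex) != len(b_hex):
        raise ValueError("digests must have the same length")
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def avalanche_report(algo: str, msg: bytes) -> dict:
    """Flip the lowest bit of the last byte of `msg` and report how much the digest changes.

    For a well-behaved hash roughly half of the output bits should flip
    (the "avalanche effect"), whichever algorithm is used.
    """
    flipped = msg[:-1] + bytes([msg[-1] ^ 0x01])
    d1 = hex_digest(algo, msg)
    d2 = hex_digest(algo, flipped)
    changed = hamming_distance_bits(d1, d2)
    return {
        "algo": algo,
        "hex_len": len(d1),
        "deterministic": d1 == hex_digest(algo, msg),  # same input, same digest
        "bits_changed": changed,
        "fraction_changed": changed / (len(d1) * 4),
    }


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed input
    for name in EXPECTED_HEX_LEN:
        print(avalanche_report(name, sample))
```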
Why MD5 Is Broken for Security
MD5 was designed in 1991 and was once considered secure. It's been comprehensively broken since the early 2000s:
- Collision attacks: Researchers can generate two different files with the same MD5 hash in seconds on a laptop. This breaks its core security property.
- Preimage attacks: Practical preimage attacks exist in specific contexts
- Rainbow tables: Massive precomputed tables of MD5 hashes exist for common passwords. Cracking an MD5-hashed password is often instant
- Speed (a weakness here): MD5's speed makes it easy to brute-force with modern GPUs, which can compute billions of MD5 hashes per second
The US government deprecated MD5 for security use in 2008. It appears on virtually every "do not use" list in cybersecurity.
When MD5 Is Still Acceptable
Despite being broken for security, MD5 is still widely used for non-security purposes:
- File checksums (non-adversarial): Verifying a downloaded file wasn't corrupted in transit (where you trust the source)
- Cache keys: Generating short, unique identifiers from longer strings
- Database deduplication: Finding duplicate files or records (where collision attacks aren't a concern)
- Non-cryptographic hashing: Hash maps, quick lookups
Rule of thumb: if the hash's integrity can be attacked by an adversary, do not use MD5. If it's purely for deduplication or indexing in a trusted context, MD5 is fine.
SHA-256: The Modern Standard
SHA-256 is part of the SHA-2 family, designed by the NSA and standardised by NIST. As of 2025:
- No known collision attacks
- No known preimage attacks
- Recommended by NIST, browsers, TLS 1.3, and virtually all modern standards
- Used in Bitcoin's proof-of-work (which has been running with trillion-dollar stakes since 2009 without a break)
Use Cases: Which Hash Function to Choose
| Use case | Recommended | Why |
|---|---|---|
| Password storage | bcrypt, Argon2, scrypt | These are designed to be slow — not MD5/SHA-256 |
| File integrity (security) | SHA-256 or SHA-512 | Collision-resistant, can't be spoofed |
| Digital signatures | SHA-256 (via RSA/ECDSA) | TLS, code signing standard |
| HMAC / API authentication | HMAC-SHA256 | Strong MAC, widely supported |
| TOTP (2FA) | HMAC-SHA1 (standard), SHA-256 optional | HMAC context makes SHA-1 still safe here |
| Checksums (trusted source) | MD5 or SHA-256 | Either works; SHA-256 preferred |
| Cache keys / deduplication | MD5 or SHA-1 | Speed matters more than security here |
Never Use MD5 or SHA-1 for Passwords
Storing passwords as MD5 or SHA-1 hashes (even with a salt) is dangerously insufficient. These algorithms are designed to be fast, which makes them easy to brute-force. A single GPU can try billions of MD5 hashes per second.
Always use a purpose-built password hashing algorithm: Argon2id (current best practice), bcrypt, or scrypt. These are intentionally slow and memory-hard to resist brute-force attacks.
Try Our Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly in your browser with our free Hash Generator. All computation happens client-side; nothing is sent to our servers.
Frequently Asked Questions
Is SHA-256 safe forever?
No hash function is safe forever, but SHA-256 has no known weaknesses and is estimated to remain secure well beyond 2030. SHA-3 (a completely different design from SHA-2) exists as a future-proofing option, but SHA-256 remains the standard recommendation today.
Why is SHA-1 still used in TOTP if it's deprecated?
SHA-1 is deprecated for digital signatures and certificate use where collision attacks matter. In HMAC (HMAC-SHA1), the security proof is different. HMAC-SHA1 is still considered secure because HMAC's construction prevents the known collision attacks against SHA-1. TOTP uses HMAC-SHA1 as its standard, and this hasn't been broken.
What's the difference between SHA-256 and SHA-2?
SHA-2 is a family of hash functions. SHA-256 and SHA-512 are both members of SHA-2. SHA-256 produces a 256-bit hash, and SHA-512 produces a 512-bit hash. There's also SHA-224, SHA-384, SHA-512/224, and SHA-512/256. SHA-256 is the most widely deployed member.
Should I use SHA-256 or SHA-512?
SHA-256 is generally recommended for most applications. SHA-512 is marginally faster on 64-bit CPUs and provides an extra security margin. Unless you have specific performance or security requirements, SHA-256 is the standard choice.